In rush to be GST ready, companies leaving security loopholes

MUMBAI: On the surface, the link between the Goods and Services Tax (GST), India’s biggest-ever tax reform, and the WannaCry ransomware appears tenuous.

And yet, to the surprise of a Mumbai-based mid-sized company, PwC’s cyber security team stumbled upon security loopholes in the newly implemented information technology (IT) infrastructure for GST, underscoring the risk of the malware that affected 300,000 computers globally.

In their effort to implement the GST as soon as possible, many companies are leaving a lot of vulnerabilities that could hit them hard.

“Everyone is now rushing to meet the deadline of implementation; however, we've noticed that in this hurry, businesses miss out on a number of key security elements. Also, a lot of the critical financial information will soon start traversing the internet, and organisations are still not aware of how information shared for GST may result in significant business risk and, potentially, reveal sensitive business strategies,” said Sivarama Krishnan, leader-Cyber Security at PwC India.

In one instance, cyber-security experts were roped in after a public sector insurance company had been hit by WannaCry. “Luckily, the company had been taking a backup on a separate server so only two days of data were lost. However, when we checked the whole system, we found that there were some bugs that could leave an opening for future cyber-attacks on their recently implemented GST IT infrastructure,” a cyber-expert close to the development said.

The time window established by GST for the above steps is quite narrow. Therefore, to assist in the institutionalisation of this process, GST has allowed registered ASPs or GSPs to support suppliers and buyers. The above steps and the existence of intermediaries in the process create unique security risks for vendor organisations and buyers, according to a PwC expert.

“Companies now have to be more cautious since increasingly, business will move online especially with GST and new IT systems that the tax law needs,” said Kartik Shinde, Partner, EY. Indian companies have been facing a lot of attacks lately. The recent ransomware, WannaCry, demanded $300 in bitcoins to release the infected system and its data, causing hundreds of millions of dollars in business damage to corporations and government utilities.

“Many companies conducted an audit on their IT systems after the WannaCry attack to see if there were more vulnerabilities and it was discovered that there were several loopholes. Also with the introduction of GST and new involvement of infrastructure being involved, we foresee that more businesses in India would face new challenges with cyber security,” said Altaf Halde, Managing Director South Asia, Kaspersky Lab.

India was the third worst-hit nation by the WannaCry ransomware, with about 48,000 computers affected, even though no major corporate or bank reported disruption to their activities, raising doubts about whether these entities are disclosing the attack at all.

“While the recent ransomware attack was a trigger, we found that many companies were vulnerable and have loopholes in a lot of areas. In addition to that, newer variants of the exploit kit used in WannaCry ransomware are already in the making,” said Shinde of EY.

Experts say that if the IT systems aren’t secure, there is a risk of data leakage, data duplication and master data manipulation.
